Since about a week, a Java logging library named Log4j is keeping server administrators and security experts busy. This library allows the execution of code by a simple string input.
This can be a manipulated log-in, a comment or a simple chat message.
Basically, all Apache servers on this planet are a possible target for an attack. Security experts estimate hundreds of million servers. Security like firewall or VPN doesn’t work in this case.
Since it’s so simple, a lot of automated scans for vulnerability can be registered. We, at CLOUGLOBAL noticed the first large attack wave already on Dec2, without knowing the background. The credits for discovering are with Chen Zhaojun from Alibaba Cloud.
The list of affected companies is endless, here are only some examples to understand the impact:
- Apple iCloud
- Google Cloud
What is the Impact?
For you, as a client with a browser, it’s not much. You might encounter that several services have a preventive shoot down, like various governmental services. Or, a comment function respective a log-in is temporarily blocked.
The real problem occurs at the server site. Since the attack can be easily performed, it’s a race against time. Especially nasty, payload can be retrieved at any time if the server is affected.
I see now the phase 1, where mass-scans are filtering out all potential targets. In phase 2 the servers will be encrypted by ransomware. Year 2022 will become interesting in this regard.
This bug exists since years, so whenever you are guessing why a server is compromised, this can be a possible explanation.
For CLOUGLOBAL, we are running our primary systems without Java. Nevertheless, our security team is investigating all interactions with 3rd party tools.
Christmastime is busy.
Meanwhile, security researchers have tracked down variants of the Mirai botnet drones that attack worm-like vulnerable servers and spread automatically.
In addition, the heavily active blackmailer group Conti has jumped on the Log4j bandwagon and uses the vulnerability to penetrate servers and networks and set up their ransomware. Cybergang sells the accesses obtained in this way, their business model is called Ransomware-as-a-Service.
The first deployed ransomware is TellYouThePass. Seems that the either main target is China or the Chinese security IT is more alert and monitors closely.
Thanks for reading.
Take care of yours and your data, and stay safe.
How a Java Library stole Christmas